protector_postcommon()   F
last analyzed

Complexity

Conditions 75
Paths > 20000

Size

Total Lines 211
Code Lines 117

Duplication

Lines 0
Ratio 0 %

Importance

Changes 1
Bugs 1 Features 0
Metric Value
cc 75
eloc 117
c 1
b 1
f 0
nc 944292140
nop 0
dl 0
loc 211
rs 0

How to fix   Long Method    Complexity   

Long Method

Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.

For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.

Commonly applied refactorings include:

1
<?php
2
3
use Xmf\Request;
0 ignored issues
show
Bug introduced by
This use statement conflicts with another class in this namespace, Request. Consider defining an alias.

Let?s assume that you have a directory layout like this:

.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php

and let?s assume the following content of Bar.php:

// Bar.php
namespace OtherDir;

use SomeDir\Foo; // This now conflicts the class OtherDir\Foo

If both files OtherDir/Foo.php and SomeDir/Foo.php are loaded in the same runtime, you will see a PHP error such as the following:

PHP Fatal error:  Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php

However, as OtherDir/Foo.php does not necessarily have to be loaded and the error is only triggered if it is loaded before OtherDir/Bar.php, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias:

// Bar.php
namespace OtherDir;

use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore.
Loading history...
4
5
/**
6
 * @return bool
7
 */
8
function protector_postcommon()
9
{
10
    global $xoopsUser, $xoopsModule;
11
12
    $uname = Request::getString('uname', '', 'POST');
13
    $pass = Request::getString('pass', '', 'POST');
14
    $autologin_uname = Request::getString('autologin_uname', '', 'COOKIE');
15
    $autologin_pass = Request::getString('autologin_pass', '', 'COOKIE');
16
17
    // patch for 2.2.x from xoops.org (I know this is not so beautiful...)
18
    if (defined('XOOPS_VERSION') && substr(XOOPS_VERSION, 6, 3) > 2.0) {
19
        $requestUri = Request::getString('REQUEST_URI', '', 'SERVER');  // Fetch the REQUEST_URI from the server superglobal
20
        if (false !== stripos($requestUri, 'modules/system/admin.php?fct=preferences')) {
21
            /** @var XoopsModuleHandler $module_handler */
22
            $module_handler = xoops_getHandler('module');
23
24
            // Fetch the 'mod' parameter from the GET request and cast it to an integer
25
            $mod = Request::getInt('mod', 0, 'GET');
26
27
            /** @var XoopsModule $module */
28
            $module = 0 !== $mod ? $module_handler->get($mod) : null;
29
30
            if (is_object($module)) {
31
                $module->getInfo();
32
            }
33
        }
34
    }
35
36
    // configs writable check
37
    $requestUriForWritableCheck = Request::getString('REQUEST_URI', '', 'SERVER');
38
    if ($requestUriForWritableCheck === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) {
39
        trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING);
40
    }
41
42
    // Protector object
43
    require_once dirname(__DIR__) . '/class/protector.php';
44
    $db        = XoopsDatabaseFactory::getDatabaseConnection();
45
    $protector = Protector::getInstance();
46
    $protector->setConn($db->conn);
47
    $protector->updateConfFromDb();
48
    $conf = $protector->getConf();
49
    if (empty($conf)) {
50
        return true;
51
    } // not installed yet
52
53
    // phpmailer vulnerability
54
    // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
55
    if (in_array(substr(XOOPS_VERSION, 0, 12), ['XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'])) {
56
        /** @var XoopsConfigHandler $config_handler */
57
        $config_handler    = xoops_getHandler('config');
58
        $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
59
        if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') {
60
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>';
61
        }
62
    }
63
64
    // global enabled or disabled
65
    if (!empty($conf['global_disabled'])) {
66
        return true;
67
    }
68
69
    // group1_ips (groupid=1)
70
    if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) {
71
        $group1_ips = $protector->get_group1_ips(true);
72
        if (implode('', array_keys($group1_ips))) {
73
            $group1_allow = $protector->ip_match($group1_ips);
74
            if (empty($group1_allow)) {
75
                die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.');
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
76
            }
77
        }
78
    }
79
80
    // reliable ips
81
    $remoteAddr = Request::getString('REMOTE_ADDR', '', 'SERVER');
82
    $reliable_ips = isset($conf['reliable_ips']) ? unserialize($conf['reliable_ips'], ['allowed_classes' => false]) : null;
83
84
    if (is_array($reliable_ips)) {
85
        foreach ($reliable_ips as $reliable_ip) {
86
            if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $remoteAddr)) {
87
                return true;
88
            }
89
        }
90
    }
91
92
    // user information (uid and can be banned)
93
    $can_ban = true;
94
    $uid = 0;
95
96
    if (isset($xoopsUser) && is_object($xoopsUser)) {
97
        $uid     = $xoopsUser->getVar('uid');
98
        $userGroups = $xoopsUser->getGroups();
99
        $bip_except = isset($conf['bip_except']) ? unserialize($conf['bip_except'], ['allowed_classes' => false]) : [];
100
101
        $can_ban = (!empty($userGroups) && !empty($bip_except)) ? (count(array_intersect($userGroups, $bip_except)) ? false : true) : true;
102
    } else {
103
        // login failed check
104
        if ((!empty($uname) && !empty($pass)) || (!empty($autologin_uname) && !empty($autologin_pass))) {
105
            $protector->check_brute_force();
106
        }
107
    }
108
109
    // CHECK for spammers IPS/EMAILS during POST Actions
110
    if (isset($conf['stopforumspam_action']) && $conf['stopforumspam_action'] !== 'none') {
111
        $protector->stopforumspam($uid);
112
    }
113
114
    // If precheck has already judged that they should be banned
115
    if ($can_ban && $protector->_should_be_banned) {
116
        $protector->register_bad_ips();
117
    } elseif ($can_ban && $protector->_should_be_banned_time0) {
118
        $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
119
    }
120
121
    // DOS/CRAWLER skipping based on 'dirname' or getcwd()
122
    $dos_skipping  = false;
123
    $skip_dirnames = isset($conf['dos_skipmodules']) ? explode('|', $conf['dos_skipmodules']) : [];
124
    if (!is_array($skip_dirnames)) {
0 ignored issues
show
introduced by
The condition is_array($skip_dirnames) is always true.
Loading history...
125
        $skip_dirnames = [];
126
    }
127
    if (isset($xoopsModule) && is_object($xoopsModule)) {
128
        if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
129
            $dos_skipping = true;
130
        }
131
    } else {
132
        foreach ($skip_dirnames as $skip_dirname) {
133
            if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) {
134
                $dos_skipping = true;
135
                break;
136
            }
137
        }
138
    }
139
140
    // module can control DoS skipping
141
    if (defined('PROTECTOR_SKIP_DOS_CHECK')) {
142
        $dos_skipping = true;
143
    }
144
145
    // DoS Attack
146
    if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) {
147
        $protector->output_log($protector->last_error_type, $uid, true, 16);
148
    }
149
150
    // check session hi-jacking
151
    $masks = $conf['session_fixed_topbit'] ?? null;
152
    if (is_string($masks)) {
153
        $maskArray = explode('/', $masks);
154
    } else {
155
        $maskArray = []; // Or some default value that makes sense for your application
156
    }
157
    $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0];
158
    $ipv6Mask = $maskArray[1] ?? 56;
159
    $ip = \Xmf\IPAddress::fromRequest();
160
    $maskCheck = true;
161
    if (isset($_SESSION['protector_last_ip'])) {
162
        $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask);
163
    }
164
    if (!$maskCheck) {
165
        if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'], ['allowed_classes' => false])))) {
166
            $protector->purge(true);
167
        }
168
    }
169
    $_SESSION['protector_last_ip'] = $ip->asReadable();
170
171
    // SQL Injection "Isolated /*"
172
    if (!$protector->check_sql_isolatedcommentin((bool)(isset($conf['isocom_action']) ? $conf['isocom_action'] & 1 : 0))) {
173
        if (($conf['isocom_action'] & 8) && $can_ban) {
174
            $protector->register_bad_ips();
175
        } elseif (($conf['isocom_action'] & 4) && $can_ban) {
176
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
177
        }
178
        $protector->output_log('ISOCOM', $uid, true, 32);
179
        if ($conf['isocom_action'] & 2) {
180
            $protector->purge();
181
        }
182
    }
183
184
    // SQL Injection "UNION"
185
    if (!$protector->check_sql_union((bool)(isset($conf['union_action']) ? $conf['union_action'] & 1 : 0))) {
186
        if (($conf['union_action'] & 8) && $can_ban) {
187
            $protector->register_bad_ips();
188
        } elseif (($conf['union_action'] & 4) && $can_ban) {
189
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
190
        }
191
        $protector->output_log('UNION', $uid, true, 32);
192
        if ($conf['union_action'] & 2) {
193
            $protector->purge();
194
        }
195
    }
196
197
    if (!empty($_POST)) {
198
        // SPAM Check
199
        if (is_object($xoopsUser)) {
200
            if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) {
201
                $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid'));
202
            }
203
        } elseif ($conf['spamcount_uri4guest']) {
204
            $protector->spam_check((int)$conf['spamcount_uri4guest'], 0);
205
        }
206
207
        // filter plugins for POST on postcommon stage
208
        $protector->call_filter('postcommon_post');
209
    }
210
211
    // register.php Protection - both core and profile module have a register.php
212
    // There should be an event to trigger this check instead of filename sniffing.
213
    $scriptFilename = Request::getString('SCRIPT_FILENAME', '', 'SERVER');
214
    if (basename($scriptFilename) == 'register.php') {
215
        $protector->call_filter('postcommon_register');
216
    }
217
218
    return null;
219
}
220